From: Rich Collins (nilsi2002@gmail.com)
Date: Tue Sep 25 2007 - 18:59:02 ART
I just tried a quick lab-up
ip dhcp pool TEST
network 10.20.71.0 255.255.255.0
update arp
!
!
!
!
!
!
interface GigabitEthernet0/0
ip address 10.20.71.1 255.255.255.0
arp authorized
I don't see anything obvious that it is a secure arp entry other than
checking the debug.
debug ip dhcp server ...
Sep 25 21:33:24.224: DHCPD: Sending DHCPACK to client 0063.6973.636f.2d30.3031.392e.3535.6266.2e38.6563.362d.4769.302f.3131 (10.20.71.2).
Sep 25 21:33:24.224: DHCPD: Creating secure ARP entry (10.20.71.2, 0019.55bf.8ec6).
Sep 25 21:33:24.224: DHCPD: broadcasting BOOTREPLY to client 0019.55bf.8ec6.
THIS IS THE DHCP SERVER
Router1#sh ip dhcp binding
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
10.20.71.2          0063.6973.636f.2d30.    Sep 26 2007 05:33 PM    Automatic
                    3031.392e.3535.6266.
                    2e38.6563.362d.4769.
                    302f.3131
Router1#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.20.71.1              0   0019.a986.941b  ARPA   GigabitEthernet0/11
Internet  10.20.71.2              -   0019.55bf.8ec6  ARPA   GigabitEthernet0/11
On 9/25/07, Ben <bmunyao@gmail.com> wrote:
>
>
> Nicky
>
> You may find the following URL useful.
>
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hiad_c/ch10/hipdhcpa.htm
>
>
> HTH
>
> Ben
>
>
> On 9/25/07, Gary Duncanson <gary.duncanson@googlemail.com> wrote:
> >
> > Hi Rich,
> >
> > Other than the cisco.com link to DHCP and arp authorised..
> >
> > Chapter 21 Security in Odom covers features such as Dynamic ARP inspection
> > (DAI), DHCP Snooping and IP Source Guard. Combinations of these features
> > should offer lots of scope for secure arp.
> >
> > HTH
> > Gary
> > ----- Original Message -----
> > From: "Rich Collins" <nilsi2002@gmail.com>
> > To: "nicky noname" <cisco2study@gmail.com >
> > Cc: "Cisco certification" <ccielab@groupstudy.com>
> > Sent: Tuesday, September 25, 2007 2:25 PM
> > Subject: Re: DHCP config
> >
> >
> > > Well I believe in general if you don't specify database then all bindings
> > > are stored locally (whether secure or not). I am interested in hearing more
> > > about working with secure arp though.
> > >
> > > On 9/24/07, nicky noname < cisco2study@gmail.com> wrote:
> > >>
> > >> thanks rich... I haven't seen...I will try it out. I guess this is what
> > >> would be required, if you are not explicitly told of a place to store the
> > >> database.
> > >>
> > >> nic
> > >>
> > >> On 9/24/07, Rich Collins <nilsi2002@gmail.com> wrote:
> > >> >
> > >> > If you want to do it locally isn't it enough to add this under the dhcp
> > >> > pool?
> > >> > ip dhcp pool MYNET
> > >> > ....
> > >> > update arp
> > >> > ...
> > >> >
> > >> > I think I read it somewhere that you need a corresponding
> > >> >
> > >> > arp authorized under the 'interface'.
> > >> >
> > >> > Rich
> > >> >
> > >> >
> > >> >
> > >> >
> > >> >
> > >> > On 9/24/07, nicky noname < cisco2study@gmail.com> wrote:
> > >> >
> > >> > > Hello,
> > >> > >
> > >> > > I am playing around with the IOS DHCP settings and I want to provide
> > >> > > DHCP services to secure arp requests only.
> > >> > >
> > >> > > I thought this was done by the command
> > >> > >
> > >> > > ip dhcp database XXXX
> > >> > >
> > >> > > Is this the only manner? I was hoping you could configure it locally.
> > >> > > This command is looking for a specified URL.
> > >> > > I have read through doc cd...it's not great for this.
> > >> > >
> > >> > > regards
> > >> > > nic
> > >> > >
> > >> > >
> > _______________________________________________________________________
> > >> > >
> > >> > > Subscription information may be found at:
> > >> > > http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Sat Oct 06 2007 - 12:01:16 ART
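
Added example (not part of the original thread and not Cisco code): a Python check that cross-references "debug ip dhcp server" lines with "sh arp" output, so secured entries can be confirmed without reading the debug by eye, and that decodes the long Client-ID seen in the binding table. The sample input is constructed, modelled on the output posted above; the status names and the 10.20.71.3, .4 and .9 entries are assumptions for illustration.

```python
import re

# Constructed sample input, modelled on the debug and "sh arp" output in the thread.
DEBUG_LOG = """\
DHCPD: Sending DHCPACK to client 0063.6973.636f.2d30.3031.392e.3535.6266.2e38.6563.362d.4769.302f.3131 (10.20.71.2).
DHCPD: Creating secure ARP entry (10.20.71.2, 0019.55bf.8ec6).
DHCPD: Sending DHCPACK to client 0100.1122.3344.55 (10.20.71.3).
DHCPD: Sending DHCPACK to client 0100.11aa.aabb.bb (10.20.71.4).
DHCPD: Creating secure ARP entry (10.20.71.4, 0011.aaaa.bbbb).
"""
ARP_TABLE = """\
Protocol  Address      Age (min)  Hardware Addr   Type  Interface
Internet  10.20.71.2   -          0019.55bf.8ec6  ARPA  GigabitEthernet0/0
Internet  10.20.71.3   4          0011.2233.4455  ARPA  GigabitEthernet0/0
Internet  10.20.71.4   2          00de.adbe.ef02  ARPA  GigabitEthernet0/0
Internet  10.20.71.9   1          00de.adbe.ef01  ARPA  GigabitEthernet0/0
"""

# \s also matches newlines, so mail-wrapped debug lines still parse.
ACK = re.compile(r"DHCPD: Sending DHCPACK to client\s+([0-9a-f.]+)\s*\(\s*([\d.]+)\)")
SEC = re.compile(r"DHCPD: Creating secure ARP entry \(([\d.]+),\s*([0-9a-f.]+)\)")
ARP = re.compile(r"^Internet\s+([\d.]+)\s+\S+\s+([0-9a-f.]+)\s+ARPA", re.M)

def decode_client_id(dotted):
    """Turn an IOS dotted-hex DHCP client identifier into readable form."""
    raw = bytes.fromhex(dotted.replace(".", ""))
    if raw[0] == 0x00:                      # type 0: free-form text
        return raw[1:].decode("ascii", "replace")
    if raw[0] == 0x01 and len(raw) == 7:    # type 1: Ethernet MAC address
        h = raw[1:].hex()
        return ".".join(h[i:i + 4] for i in range(0, 12, 4))
    return raw.hex()

def audit(debug_log, arp_table):
    """Map each ARP-table IP to (status, decoded client-id or None)."""
    acked = {ip: decode_client_id(cid) for cid, ip in ACK.findall(debug_log)}
    secured = dict(SEC.findall(debug_log))  # ip -> MAC the DHCP server pinned
    result = {}
    for ip, mac in ARP.findall(arp_table):
        if ip not in acked:
            status = "no-lease"             # ARP entry with no DHCPACK in the log
        elif ip not in secured:
            status = "acked-not-secured"    # leased, but no secure ARP entry logged
        elif secured[ip] != mac:
            status = "mac-mismatch"         # ARP table disagrees with pinned MAC
        else:
            status = "secure"
        result[ip] = (status, acked.get(ip))
    return result
```
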